Session objectives

To provide a high-level overview and insight into identifying, managing and controlling computer fraud and security threats through innovative techniques and legally accepted process. This session will cover some of the challenges faced by HR, Legal and Information Technology Security teams within corporate organizations today, with a focus on how Guidance Software helps its customers address, manage and add value to these challenges, working alongside industry best practices and regulatory requirements such as ISO 17799, the Basel Accord and Sarbanes-Oxley.


But first

Why do cars have brakes?


Where do the threats originate from?

- Foreign governments
- Fraud
- Internal & external
Business challenges & drivers

Intellectual property
- Corporate espionage
- Organised crime / planted employees / sabotage
- Control of quarterly financials and marketing plans
- Unauthorised software and/or rootkits
- Mergers and acquisitions
- Document or data leakage to competitors / intellectual property rights (IPR) theft

Employees
- Harassing co-workers
- Not doing their job (performance issues)
- Violent acts
- Inappropriate content
- Contractor employment controls
- Reliance upon contractors and individuals with required expertise

Corporate policy
- Internal use
- Inappropriate conduct
- Interdepartmental knowledge and information sharing, policies and process
- Identifying and locating the risks to the organisation

Regulatory compliance
- SOX
- ISO 17799
- Basel II
- Reducing risk / increasing efficiencies
- Leveraging regional initiatives and knowledge share between key national infrastructure organisations
Sarbanes-Oxley, ISO 17799, Basel II: why enterprise computer forensics?

Enterprise computer forensics is required for effective internal investigations.

Congress enacted the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley") to protect investors by combating corporate crime and improving corporate governance. Sarbanes-Oxley requires companies to implement extensive corporate governance policies to prevent and respond to fraudulent activity within the company, including vigilant self-policing to deter, quickly investigate and contain internal financial fraud. For example, Sarbanes-Oxley expressly requires publicly traded companies to create anonymous hotlines for the reporting of fraud, to investigate those instances of fraud, and to certify that they have disclosed any instances of fraud involving management and other key employees to the Board of Directors.

Well before the enactment of Sarbanes-Oxley, courts recognized the importance of preserving electronic data in connection with litigation, including securities fraud investigations. For example, in In re Bristol-Myers Squibb Securities Litigation, the court determined that the discovery of computer evidence was critical to ensure a proper investigation of alleged corporate fraud. The court noted that, as the vast majority of documentation now exists in electronic form, electronic evidence discovery should be considered a standard and routine practice going forward. The provisions of Sarbanes-Oxley will certainly induce courts and auditors to look closely at a company's ability to forensically preserve and analyze electronic data.

Other agencies and groups have also adopted standards regarding computer forensics. The leading international information security best practices standard, ISO 17799, calls on enterprises to use computer forensics to preserve the admissibility of evidence.
Enterprise products

Data at rest

Forensic concurrent connections let you:
- Discreetly investigate and analyze many machines simultaneously at a disk level
- Acquire and preserve data in a forensically sound (court-accepted) manner
- Proactively audit groups of machines for sensitive information

Volatile data

Snapshot concurrent connections let you:
- Scan more than 10,000 machines in 30 minutes
- Rapidly identify all trusted, untrusted and unknown data
- Integrate with IDS/SIM tools to provide actionable real-time incident response capabilities

The Guidance Software proposition

"We provide an Investigative Infrastructure that lowers the cost and response time while increasing the breadth and depth of computer-related investigations and incident response... with the overall goal of reducing operational risk"
Fraud Detection and Mitigation

Intellectual property issues such as:
- Corporate espionage
- Quarterly financials and marketing plans
- Mergers and acquisitions
- Drug research

Employee integrity
- Harassing co-workers
- Not doing their job (performance issues)
- Violent acts
- Inappropriate content

Corporate policy
- Internal use
- Inappropriate conduct
- Organizational deterrent

Regulatory compliance
- SOX
- ISO 17799
Detection and Prevention

PERCEPTION

Sources of threat: outsiders, employees, partners, executives

Assets at stake: intellectual property, $$$, reputation

BLOCKING: physical and virtual barriers
- Barriers prevent access to all but the most skilled

DETERRENTS: policy and laws
- Deterrents prevent access to all but the most determined

DETECTION: audits
- Detection prevents access to all but the most stealthy


Detection and Prevention

REALITY

Physical and virtual barriers
- Most sources of fraud are on the wrong side of the barrier.

Policy and laws
- Inside sources are not deterred by policies and laws.

DETECTION: sampling audits of assets (intellectual property, $$$, reputation)
- Based on sampling audits, detection is Swiss cheese, further undermining deterrents.
- As the likelihood of detection decreases, so does the power to deter by using punishments.
Case Study: Synopsys (IP theft)

Issue:
Synopsys believed that a former employee removed files containing corporate secrets from their network and used these secrets to establish 'Nassda' and create a competitive product.

Problem:
Synopsys needed to prove that the former employees had in fact removed the sensitive data from their network and then used it to build Nassda's business.

Size of the challenge:
Nassda was, for obvious reasons, less than cooperative, and by the time Guidance Software got involved the case was more than two years old and a lot of computer evidence had been lost or erased.

Our solution:
Using EnCase Enterprise and a court order, Guidance Software was able to search through Nassda systems and locate documents identical to those on Synopsys' network.

Result:
"The terms of the deal call for Synopsys to acquire Nassda (including its $100 million cash reserves) for $192 million, and for Nassda's co-founders - all of whom were one-time Synopsys employees - to pay Synopsys a $61 million settlement. The net purchase price of $30 million compares favorably to Nassda's earlier market cap of $500 million"

— CBS MarketWatch
Case Study: Network Associates (M&A)

Customer:
Network Associates

Issue:
Contracted to sell its Sniffer Technologies unit for $275 million.

Problem:
The contractual terms required Network Associates to ensure that none of Sniffer's source code remained on Network Associates' computer systems.

Size of the challenge:
5,000 computers in 20 different locations worldwide (100 TB).

Our solution:
Guidance Software Professional Services used the eDiscovery suite containing all the relevant search terms.

Result:
Guidance Software completed the engagement in 4 weeks and significantly under budget. 105 dirty machines were found.

"EnCase Enterprise saved us more than $1 million in the first six months of its use. It also allowed us to complete a critical M&A discovery issue that would have been impossible with any other software or services options in the market today."

- Ted Barlow, CSO & VP, Risk Management, Network Associates
Computer-related incident response

Automated incident response
- Single-machine incident response (confirm/deny an event took place)
- Automatically responding to events from IDS and SIMs
- Automatically responding to events from content management systems

Compromise assessment
- Breadth of the compromise
- Remediation
- Documentation / closing the response loop (future controls and best practices)
- Enables complete remediation
IR process — Broken

Flow shown on the slide:
- EVENT (zero-day event)
- IDS/SIM
- Manual process
- Partial response
- Partial policies (write/rewrite)
- Cleanup: hire consultants, $$$, network downtime
- Outcome: dirty network; source of problem never detected
IR process — Best Practice

Flow shown on the slide:
- Hacker, rogue employee, zero-day event
- IDS/SIM
- Response: investigate infected machines
- Scan entire network for similar exploits
- Cleanup
- Enterprise-wide policy (write/rewrite)
- Outcome: clean network
Automated Incident Response

AIRS Architecture (architecture diagram)
Incident Response

- Where EnCase Enterprise fits into the security landscape
Case Study: The Hartford (Incident Response)

Issue:
Conducting efficient incident response on a large distributed network without disrupting operations.

Problem:
During a zero-day incident The Hartford needed to locate and remediate a worm prior to getting the signature from their anti-virus company.

Size of the challenge:
30,000-node network.

Our solution:
EnCase Enterprise with servlets deployed throughout their network.

Result:
During a worm outbreak The Hartford was able to scan 30,000 nodes to identify compromised machines and establish a timeline of the machine that introduced the worm into their environment. After identifying compromised machines they were able to remediate the malicious worm quickly without disrupting business operations or quarantining workstations/servers.
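Added example (not Guidance Software's code) showing the triage behind this case study and the snapshot slide's trusted/untrusted/unknown bucketing: hashes seen across a fleet snapshot are classified, hosts carrying the one artifact already pulled from the first infected machine are ordered into an outbreak timeline, and unknown hashes that co-occur on those hosts become candidate indicators for the "scan entire network for similar exploits" step. All hashes, host names and timestamps are constructed.

```python
from datetime import datetime

# Constructed trusted (gold image) and untrusted (artifact recovered from the
# first confirmed infected machine) hash sets; any other hash is "unknown".
TRUSTED = {"h_svchost", "h_explorer", "h_outlook"}
UNTRUSTED = {"h_worm"}

# Constructed volatile-data snapshot records: (host, process_hash, first_seen_utc)
SNAPSHOTS = [
    ("ws-0117", "h_svchost", "2004-03-02T08:01:00"),
    ("ws-0117", "h_worm", "2004-03-02T08:14:00"),
    ("srv-mail", "h_outlook", "2004-03-02T07:55:00"),
    ("ws-2042", "h_dropper", "2004-03-02T06:31:00"),
    ("ws-2042", "h_worm", "2004-03-02T06:32:00"),
    ("ws-3310", "h_explorer", "2004-03-02T09:00:00"),
    ("ws-3310", "h_dropper", "2004-03-02T10:45:00"),
]


def classify(h, trusted=TRUSTED, untrusted=UNTRUSTED):
    """Bucket a hash as trusted, untrusted or unknown (the snapshot slide's split)."""
    if h in trusted:
        return "trusted"
    return "untrusted" if h in untrusted else "unknown"


def triage(snapshots, trusted=TRUSTED, untrusted=UNTRUSTED):
    """Return (compromised hosts in outbreak order, candidate indicators, suspect hosts).

    A host is compromised if it carries an untrusted hash; the earliest sighting
    orders the timeline, so timeline[0] is the machine that introduced the worm.
    Unknown hashes present on a compromised host are candidate indicators, and
    any not-yet-flagged host carrying one is a suspect to investigate next.
    """
    first_bad = {}     # host -> earliest untrusted sighting
    unknown_on = {}    # unknown hash -> set of hosts it was seen on
    for host, h, ts in snapshots:
        cls = classify(h, trusted, untrusted)
        if cls == "untrusted":
            t = datetime.fromisoformat(ts)
            if host not in first_bad or t < first_bad[host]:
                first_bad[host] = t
        elif cls == "unknown":
            unknown_on.setdefault(h, set()).add(host)
    timeline = [host for host, _ in sorted(first_bad.items(), key=lambda kv: kv[1])]
    compromised = set(timeline)
    candidates = {h for h, hosts in unknown_on.items() if hosts & compromised}
    suspects = sorted({host for h in candidates for host in unknown_on[h]} - compromised)
    return timeline, candidates, suspects
```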


The Enterprise Investigative Infrastructure

Processes: standalone forensics, network forensic investigations, eDiscovery, information assurance

Implementation options

Un-integrated:
- Point solutions
- Error prone
- Multiple deployments
- High maintenance
- Reliance upon technical contractors
- Result: wasted revenue, time and no intelligence across solutions; risk

Integrated:
- Process-minded, modular, integrated solutions
- Result: complete, integrated and business focused
The power of One - a collective approach

- Human Resources
- Legal team
- Incident Response / Forensics team (CIRT)
- Information Security team
- Fraud team
- Procurement team
- Network team
Session Summary

- Identify and mitigate risks
  Conduct network-enabled forensic investigations for anything, anywhere, anytime
  Disqualify unnecessary investigations
  Conduct network-enabled HR investigations
  Contain and reduce corporate fraud

- Employ a proactive approach to enterprise investigations
  Conduct network-enabled document discovery
  Discover documentation related to legal issues
  Support information assurance efforts in a much more cost-effective manner with no business disruption

- Compliance
  Meet regulatory mandates to demonstrate due care and limit loss
  Effectively and efficiently validate and enforce corporate computer use policies
  Utilise regional directives and initiatives; knowledge share to address common threats

- Automate inefficient processes
  Respond immediately to zero-day events
  Perform a complete compromise assessment after a security intrusion
  Reduce business disruption and losses due to security breaches
  Respond to more security incidents with less manpower

Guidance Software

Thank you

graham.hughes@guidancesoftware.com

www.guidancesoftware.com